This application is a U.S. non-provisional application claiming the benefit of French Application No. 22 13599, filed on Dec. 16, 2022, which is incorporated herein by reference in its entirety.
The present invention relates to a method for checking end-to-end integrity for a communication stream communicated within a time-sensitive network.
The invention further relates to a non-transitory computer-readable medium including a computer program associated with the method.
The invention also relates to a communication port of a time-sensitive network, the communication port being a transmitter or receiver, and configured to be located at an end of a communication stream communicated within the time-sensitive network.
The invention further relates to a time-sensitive network (TSN).
The invention belongs to the field of network communication, and more particularly of communication within an avionics network used in aeronautics.
Currently in the field of avionics, only the solution based on the ARINC 664 P7 standard as implemented within the Ethernet network called AFDX™ (Avionics Full Duplex switched Ethernet) makes it possible to have a redundant network communication system which guarantees at the same time a bounded maximum jitter, the authenticity of the content, and the ability to withstand repeated transmissions caused, e.g., by a failure or by a cyber-attack causing, e.g., a denial of service.
The developments according to the Ethernet standards of the time-sensitive Network (TSN) group of the IEEE address most of the needs in terms of determinism, bandwidth guarantee and redundancy of an aeronautical network.
However, such time-sensitive Ethernet networks currently fail to cover certain properties of the ARINC 664 P7 standard implemented within an AFDX™ network, namely the properties relating to the robustness to malfunctions of network equipment, which remain incompletely covered.
More precisely, the ARINC 664 P7 standard implemented within an AFDX™ network requires in particular that a switch, having a Design Assurance Level (DAL), guarantees the transmission of frames without alteration, and hence without recomputing the Cyclic Redundancy Check (CRC) of the frame.
The ability to meet such a requirement associated with the AFDX™ network is very difficult to demonstrate with standard IT products, also called COTS (commercial off-the-shelf) products, which may rebuild an Ethernet frame and recompute its CRC in order to support certain protocols such as IEEE 802.1Q VLAN tagging.
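The following added illustration (not code from the original page) shows why the hop-by-hop CRC recomputed by a COTS switch cannot provide end-to-end integrity, and why a digest computed once by the transmitting port can. The frame layout is a simplified Ethernet frame (14-byte header, optional 802.1Q tag, payload, FCS), the MAC addresses and VLAN ID are constructed, and the fault model (a bit flip inside the switch between the ingress FCS check and the egress FCS recomputation) is an assumption.

```python
"""Hop-by-hop FCS versus end-to-end digest.  Added example, not the page's code;
frame layout, addresses and the in-switch fault model are assumptions."""
import hashlib
import struct
import zlib
from typing import Dict, Optional

DST = bytes.fromhex("020000000001")   # constructed locally administered MACs
SRC = bytes.fromhex("020000000002")
ETHERTYPE = b"\x08\x00"
VLAN_TAG = b"\x81\x00\x00\x0a"        # TPID 0x8100, VLAN ID 10 (assumed)
DIGEST_LEN = 32                       # SHA-256 digest appended by the transmitter


def fcs(body: bytes) -> bytes:
    """802.3 FCS: CRC-32 over the frame without the FCS (zlib.crc32 uses the
    same IEEE 802.3 polynomial)."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def header_len(frame: bytes) -> int:
    """14-byte header, or 18 bytes when an 802.1Q tag follows the addresses."""
    return 18 if frame[12:14] == b"\x81\x00" else 14


def transmit(app_data: bytes) -> bytes:
    """Transmitting port: append an end-to-end digest to the application data,
    then the hop-by-hop FCS.  Only the FCS is ever recomputed by switches."""
    payload = app_data + hashlib.sha256(app_data).digest()
    body = DST + SRC + ETHERTYPE + payload
    return body + fcs(body)


def cots_switch(frame: bytes, flip_byte: Optional[int] = None) -> bytes:
    """COTS switch inserting an 802.1Q tag: it checks the ingress FCS, rebuilds
    the frame and recomputes the FCS on egress.  If a fault flips a payload
    bit between those two steps, the egress FCS covers the corrupted data."""
    if fcs(frame[:-4]) != frame[-4:]:
        raise ValueError("ingress FCS error")
    payload = bytearray(frame[header_len(frame):-4])
    if flip_byte is not None:
        payload[flip_byte] ^= 0x01            # modelled internal malfunction
    body = frame[:12] + VLAN_TAG + frame[12:14] + bytes(payload)
    return body + fcs(body)


def receive(frame: bytes) -> Dict[str, bool]:
    """Receiving port: hop-by-hop FCS check, then end-to-end digest check."""
    fcs_valid = fcs(frame[:-4]) == frame[-4:]
    payload = frame[header_len(frame):-4]
    app_data, digest = payload[:-DIGEST_LEN], payload[-DIGEST_LEN:]
    e2e_valid = hashlib.sha256(app_data).digest() == digest
    return {"fcs_ok": fcs_valid, "end_to_end_ok": e2e_valid}


def run() -> Dict[str, Dict[str, bool]]:
    """Same frame through a healthy switch and through a faulty one."""
    frame = transmit(b"fuel_flow=1234")
    return {
        "healthy_switch": receive(cots_switch(frame)),
        "faulty_switch": receive(cots_switch(frame, flip_byte=3)),
    }
```

With the faulty switch, the receiver's FCS check passes because the switch recomputed the FCS over the already corrupted payload; only the digest computed at the transmitting end, which no intermediate equipment touches, exposes the alteration. This is the gap the end-to-end check described below is meant to close.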
In addition, the ARINC 664 P7 standard implemented within an AFDX™ network provides the specification of robustness capabilities against very specific defects such as the repetition, on the part of a transmitter, of the same frame or the discontinuity of a transmission sequence. Such a specification is not addressed within the Ethernet standards of the TSN group of IEEE.
The ARINC 664 P7 standard implemented within an AFDX™ network has the drawback of being implemented only by proprietary IT equipment conforming to the AFDX™ network that is more expensive than COTS products and not optimal in terms of bandwidth.
The subject matter of the invention is to remedy the drawbacks of the prior art by proposing an alternative solution to AFDX™ network communication while also addressing the same requirements in terms of robustness against network equipment malfunctions.
To this end, the invention proposes a method of checking the integrity of an end-to-end communication stream communicated within a time-sensitive network TSN, the time-sensitive network TSN being an avionics communication network, the method including:
Thereby, the present invention proposes the adoption of an end-to-end principle for verifying that any communication within a communication stream of the time-sensitive network TSN has integrity, implementing first of all a prior allocation of a virtual identifier to each communication stream configured to transit within the network, such virtual identifier being known to each communication port, transmitter or receiver, configured to be located at one end of a communication stream.
It should be noted that during transmission as such, such a virtual identifier is not transmitted and hence does not transit through the network, unlike the transmitted message including at least the payload, the value of the counter of transmitted messages, and the transmission aggregate.
It is thus impossible to intercept such a virtual identifier maliciously during the transmission of a message, or to conceive of a failure that would make it possible to guess the identifier, which drastically reduces the risk of reconstitution of the transmission aggregate, since determining the transmission aggregate (i.e., obtaining it by computation) requires knowing the virtual identifier in combination with the value of the counter of transmitted messages and with the payload.
The method of checking end-to-end integrity of a communication stream communicated within a time-sensitive network TSN proposed according to the invention can further have one or a plurality of the features below, taken independently or according to all technically feasible combinations:
A further subject matter of the invention is a computer program including software instructions which, when executed by a computer, implement a method of checking the end-to-end integrity of a communication stream communicated within the time-sensitive network TSN, as defined hereinabove.
Thereafter, the reference to a computer program which, when executed, performs any of the above-mentioned software instructions, is not limited to an application program being executed on a single host computer.
In other words, the terms computer program and software are used thereafter in a general sense to refer to any type of computer code (e.g., an application software, a firmware, a microcode, or any other form of computer instruction) which may be used for programming one or a plurality of processors in order to implement the method of checking the end-to-end integrity of a communication stream communicated within a time-sensitive network TSN.
The invention further relates to a communication port of a time-sensitive network TSN, the communication port being a transmitter or a receiver, and configured to be located at an end of a communication stream communicated within the time-sensitive network TSN, the communication port including a set of elements dedicated to implementing at least in part, the above method of checking the end-to-end integrity of a communication stream, the set of elements including:
The communication port proposed according to the present invention may also have the features according to which the set of elements, dedicated to implementing at least in part the above method of checking the end-to-end integrity of a communication stream, may be activated/deactivated.
The invention further relates to a time-sensitive network TSN, the time-sensitive network TSN being an avionics communication network and the network including at least two communication ports as described hereinabove.
Other features and advantages of the invention will be clear from the description thereof which is given below as a non-limiting example, with reference to the enclosed figures, among which:
As indicated hereinabove,
Such a communication port 10 is configured to be in transmitter mode or in receiver mode, and is configured to be located at an extremity (i.e., at an end) of a communication stream communicated within the time-sensitive network TSN.
Communication port 10 according to embodiments of the present invention includes a set 12 of elements dedicated to implementing, at least in part, the method of checking the end-to-end integrity of a communication stream as detailed thereafter with reference to
According to the present invention, set 12 of elements includes firstly a memory storage space 14 dedicated to the storage of a virtual identifier, thereafter called VID, for a transmitter communication port (i.e., in transmission mode), and VID′ for a receiver communication port (i.e., in reception mode), of each communication stream configured to be communicated within the time-sensitive network TSN.
Furthermore, set 12 of elements includes, when communication port 10 is a transmitter communication port (i.e., in transmission mode), a device 16 for transmitting message(s) configured for transmitting at least one message within a communication stream.
Such a transmission device 16 includes, according to embodiments of the present invention, for each message transmitted within the communication stream, a counter 18 of transmitted messages the value of which is configured for being incremented at each transmitted message. Subsequently, the value of the counter of transmitted messages is called SN (Sequence Number).
In addition, such a transmission device 16 further includes, according to embodiments of the present invention, a module 20 for determining a transmission aggregate, hereinafter called HASH, for integrity check.
Such a HASH transmission aggregate is obtained by a determination module 20 from (i.e., using) at least three distinct types of information corresponding to:
In addition, transmission device 16 further includes, according to embodiments of the present invention, a module 22 for transmitting as such the message. More precisely, such a transmission module is configured for transmitting within the stream, the sent message including at least the payload, the value SN of the counter of transmitted messages, and the transmission aggregate HASH.
According to an aspect illustrated by
According to a particular example, counter 18 of transmitted messages and module 20 for determining a transmission aggregate are each produced in the form of a software program, or a software package, executable by processor 28 of electronic transmission device 16 according to the present invention. Memory 26 of electronic transmission device 16 is then apt to store a software program for counting transmitted messages and a software program for determining a transmission aggregate. Processor 28 is then apt to execute each of these software programs.
In a variant (not shown), counter 18 of transmitted messages, and module 20 for determining a transmission aggregate are each produced in the form of a programmable logic component, such as an FPGA (Field Programmable Gate Array), or further of a dedicated integrated circuit, such as an ASIC (Application Specific Integrated Circuit).
When electronic transmission device 16 is produced in the form of one or a plurality of software programs, i.e., in the form of a computer program, same is further apt for being recorded on a computer-readable medium (not shown). The computer-readable medium is, e.g., a medium apt to store electronic instructions and to be coupled to a bus of a computer system. As an example, the readable medium is an optical disk, a magneto-optical disk, a ROM memory, a RAM memory, any type of non-volatile memory (e.g., EPROM, EEPROM, FLASH, NVRAM), a magnetic card or an optical card. A computer program containing software instructions is then stored on the readable medium.
Moreover, set 12 of elements includes, when communication port 10 is a receiver communication port (i.e., in reception mode), a device 30 for receiving message(s) configured for receiving at least one message within another communication stream (i.e., distinct from a communication stream the communication port of which is, e.g., in parallel, also transmitter).
Reception electronic device 30 includes, for each message received within the other communication stream, firstly a counter 32 of received messages.
In addition, electronic reception device 30 further includes a module 34 for receiving the message. Reception module 34 is configured for receiving the message within the other stream, the received message including at least the payload thereof, a value SN of the counter of transmitted messages associated with the received message, and a transmission aggregate HASH also associated with the received message.
Furthermore, electronic reception device 30 also includes a module 36 for determining a reception aggregate HASH′ for integrity check.
Such a reception aggregate HASH′ is obtained by determination module 36 from (i.e., by using) at least three distinct types of information corresponding to
In addition, electronic reception device 30 further includes a module 38 for checking end-to-end integrity, configured for checking the end-to-end integrity by comparing the transmission aggregate HASH with the reception aggregate HASH′: a difference between the transmission aggregate HASH and the reception aggregate HASH′ triggers rejection of the received message, whereas, when the transmission aggregate HASH and the reception aggregate HASH′ are identical, the received message is accepted.
As an optional addition, electronic reception device 30 further includes a module 40 for checking correct sequencing, configured for determining whether the value SN of the counter of transmitted messages is equal to the current value SN′ of the counter of received messages plus one or plus two (i.e., such that SN=SN′+1 or such that SN=SN′+2), in which case the received message is accepted and the value SN′ of the counter of received messages is updated by becoming equal to the value SN of the counter of transmitted messages. Accepting SN=SN′+2 makes the check tolerant to the loss of a single message. If, on the other hand, module 40 for checking correct sequencing detects that SN is neither equal to SN′+1 nor to SN′+2, the received message is rejected.
In other words, as soon as HASH≠HASH′ the message is rejected for integrity failure.
If HASH=HASH′ but SN is neither SN′+1 nor SN′+2, then the message is also rejected for sequence failure.
It should be noted that in the particular case of a restart (i.e., reset) of electronic reception device 30, the value SN′ is initialized by the value SN of the first message received after the restart (i.e., reset) and no check of correct sequencing is then implemented for the first message received after the restart (i.e., reset).
In other words, when no message has been received, SN′ is not yet initialized, and the first message received with the value SN of the counter of transmitted messages is accepted by default.
According to an aspect illustrated by
According to a particular example, counter 32 of received messages, module 36 for determining a reception aggregate, module 38 for checking end-to-end integrity, and optionally module 40 for checking correct sequencing, are each produced in the form of a software program or a software component executable by processor 46 of electronic reception device 30 according to embodiments of the present invention. Memory 44 of electronic reception device 30 is then apt to store a software program for counting received messages, a software program for determining a reception aggregate, a software program for checking end-to-end integrity, and optionally a software program for checking correct sequencing. Processor 46 is then apt to execute each of these software programs.
In a variant (not shown), counter 32 of received messages, module 36 for determining a reception aggregate, module 38 for checking end-to-end integrity, and optionally module 40 for checking correct sequencing, are each produced in the form of a programmable logic component, such as an FPGA (Field Programmable Gate Array), or further in the form of a dedicated integrated circuit, such as an ASIC (Application Specific Integrated Circuit).
When electronic reception device 30 is produced in the form of one or a plurality of software programs, i.e., in the form of a computer program, same is further apt for being recorded on a computer-readable medium (not shown). The computer-readable medium is, e.g., a medium apt to store electronic instructions and to be coupled to a bus of a computer system. As an example, the readable medium is an optical disk, a magneto-optical disk, a ROM memory, a RAM memory, any type of non-volatile memory (e.g., EPROM, EEPROM, FLASH, NVRAM), a magnetic card or an optical card. A computer program containing software instructions is then stored on the readable medium.
As an optional addition, the transmission aggregate and the reception aggregate are obtained using the same aggregate determination function, the aggregate determination function providing only irreversible aggregates.
According to an advantageous option of the optional addition, the aggregate determination function is a hash function.
According to a first optional variant, the hash function is an SHA-1 function, the aggregate being, e.g., 80 bits long (i.e., a truncation of the 160-bit SHA-1 digest).
According to a second optional variant, the hash function is an SHA-2 function, the aggregate being, e.g., 112 bits long, or further an SHA-2 function such as SHA-256, SHA-512, SHA-224, SHA-384, etc.
It should be noted that to date such SHA hash functions are not integrated into the UDP/IP and Ethernet protocols used, and that such an implementation is thus not obvious for a person skilled in the art.
As an optional addition, the set 12 of elements, dedicated to implementing at least in part the method of checking the end-to-end integrity of a communication stream as described thereafter with reference to
In
It should be noted that element 48 also makes it possible to activate the transmitter mode or the receiver mode of the communication port by making electronic transmission device 16 active and making electronic reception device 30 inactive, respectively, for the transmitter mode, and, on the other hand, making transmission electronic device 16 inactive and making electronic reception device 30 active for the receiver mode, when the two modes are not implemented in parallel for the communication of two distinct streams where the communication port shown in
According to other variants (not shown), communication port 10 is only a transmitter (i.e., in transmission mode only) and in such case does not include reception device 30 described hereinabove, or communication port 10 is only a receiver (i.e., in reception mode only) and in such case does not include transmission device 16 described hereinabove.
Moreover, according to another variant (not shown), when the communication port is “single-mode”, memory storage space 14 is then integrated within transmission device 16 if communication port 10 is only a transmitter (i.e., in transmission mode only), or is integrated within reception device 30 if communication port 10 is only a receiver (i.e., in reception mode only).
As an alternative to
An example of the operation of an end-to-end integrity check of a communication stream communicated within a time-sensitive network TSN according to an embodiment of the invention will now be described hereinafter with reference to
More precisely, method 50 for checking the end-to-end integrity of a communication stream communicated within the time-sensitive network TSN includes, first of all, a first preliminary phase 52 of virtual allocation A_VID of a virtual identifier to each communication stream configured to be communicated within the time-sensitive network TSN, the virtual identifier being known only to each communication port, transmitter or receiver, configured to be located at one end of the communication stream, and being stored within the dedicated memory storage space 14 as illustrated with reference to
For example, a communication stream F1 corresponds to a data stream, between a first transmitter communication port P1 (i.e., in transmission mode), at one end of the data stream F1, and a second receiver communication port P2 at the other end of the data stream F1 and is identified with the VID=VID′=63, while a communication stream corresponding to a video stream F2 between the two same ports P1 and P2 is identified with a distinct identifier such that VID=VID′=65.
According to another example, another communication stream F3 corresponds to a data stream between the first transmitter communication port P1 (i.e., in transmission mode), at one end of the data stream F3, and a receiver communication port P3 at the other end of the data stream F3 and is identified with the VID=VID′=91, etc.
Then, for each message to be transmitted, method 50 for maintaining end-to-end integrity of a communication stream includes a phase 54 of transmission E, implemented by a transmitter communication port (i.e., in transmission mode) located at one end of the communication stream considered.
Transmission E phase 54 includes, in particular, the operations described hereafter for each message transmitted within the stream considered.
A first operation 56 of incrementation I_SN of the value SN of a counter 18 of transmitted messages is implemented by the transmitter communication port (i.e., in transmission mode) located at one end of the communication stream considered.
Then, according to an operation 58, the transmitter communication port (i.e., in transmission mode), located at one end of the communication stream considered, implements, via determination module 20, the determination D_HASH of a transmission aggregate HASH for integrity check, obtained from a triplet of elements of a distinct nature, namely the virtual identifier VID of the communication stream known by the transmitter communication port (i.e., in transmission mode), the value SN of the counter of transmitted messages, and the payload to be transmitted as such within the message.
Then, according to an operation 60, the transmitter communication port (i.e., in transmission mode), located at one end of the communication stream considered, implements, via transmission module 22 thereof, transmission EM as such of the message, within the stream, the transmitted message including at least the payload, the value SN of the counter of transmitted messages, and the transmission aggregate HASH.
A phase 62 of reception R of the message is implemented by a receiver communication port (i.e., in reception mode) located at the other end of the communication stream, the receiver communication port (i.e., in reception mode) including, as seen previously with reference to
Reception R phase 62 includes the operations described hereafter, for each message received within the stream under consideration.
Firstly, within phase 62, a first operation 64 of reception RM of the message within the stream is implemented, the received message including at least, as indicated hereinabove, the payload, the value SN of counter 18 of transmitted messages, and the transmission aggregate HASH.
Then, according to an operation 66, the receiver communication port (i.e., in reception mode) located at the other end of the communication stream implements, via determination module 36 thereof, the determination D_HASH′ of a reception aggregate HASH′ for integrity check, obtained from a triplet of elements of a distinct nature, namely: the virtual identifier VID′ of the communication stream known to the receiver communication port (i.e., in reception mode), the value SN of the counter of transmitted messages received within the received message, and the received payload.
Reception phase 62 then includes an operation 68, implemented by the receiver communication port (i.e., in reception mode) located at the other end of the communication stream, via control module 38 thereof, for end-to-end integrity check C_I by comparing the transmission aggregate HASH with the reception aggregate HASH′.
Indeed, in case of integrity, the virtual identifier VID of the stream, stored on the transmitter communication port side (i.e., in transmission mode), is identical to the identifier VID′ stored on the receiver communication port side (i.e., in reception mode), the stream identifier advantageously never transiting as such within the network when a message is transmitted, which drastically reduces the risk of accidental reconstitution of a correct check aggregate from data corrupted during transport.
As a result, in case of integrity, for the same message transmitted via the communication stream considered, the transmission aggregate HASH is identical to the reception aggregate HASH′, and the corresponding received message is accepted (i.e., preserved).
On the other hand, during comparison step 68, a difference between the transmission aggregate HASH and the reception aggregate HASH′ activates rejection of the received message. In other words, if the integrity check fails because HASH≠HASH′ then the message is ignored due to integrity failure.
According to a particular variant, the transmission aggregate HASH and the reception aggregate HASH′ are obtained by using the same aggregate determination function, the aggregate determination function providing only irreversible aggregates.
According to an advantageous option of such a variant, the aggregate determination function is a hash function. Such a hash function is distinct from the cyclic redundancy check (CRC) function, which is also conventionally used to check the integrity of frames.
Among the hash functions, the algorithms of the SHA (Secure Hash Algorithm) family make it possible to meet the need for obtaining irreversible aggregates, SoC (System on Chip) systems now providing hardware acceleration of hash functions, in particular cryptographic functions, which facilitates the use thereof.
According to a first optional variant, the hash function is an SHA-1 function, the aggregate being, e.g., 80 bits long (i.e., a truncation of the 160-bit SHA-1 digest).
According to a second optional variant, the hash function is an SHA-2 function, the aggregate being, e.g., 112 bits long, or an SHA-2 function such as SHA-256, SHA-512, SHA-224, SHA-384, etc., the size of the hash value having to result from a compromise with its cost on the size of the payload.
As an optional addition, reception phase 62 further includes an operation 70 of checking correct sequencing, according to which, if the value SN of the counter of transmitted messages is equal to the value SN′ of the counter of received messages plus one or plus two (i.e., SN=SN′+1 or SN=SN′+2), then the received message is also accepted, and the value SN′ of the counter of received messages is updated by becoming equal to the value SN of the counter of transmitted messages. Such an option makes it possible to exploit the received value SN of the counter of transmitted messages in order to check correct sequencing, in addition to the integrity check previously described, and thereby to resynchronize quickly after the loss of a single message, a received message whose value SN continues the sequence being accepted.
On the other hand, if SN is neither equal to SN′+1 nor to SN′+2, then the received message is rejected for sequencing failure.
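The transmission phase (operations 56, 58, 60), the reception phase (operations 64, 66, 68, 70) and the reset behaviour of the receiver described above, as an added example that is not the patent's own code. The wire layout (SN followed by HASH followed by payload), the 32-bit counter width, the 16-bit VID width, the choice of SHA-256 and the 112-bit truncation of the aggregate are assumptions; the page leaves all of them open. The traffic is constructed on the stream F1 of the examples above (VID=VID′=63), with a port of stream F2 (VID′=65) used to show the effect of a mismatched identifier.

```python
"""End-to-end integrity check between a transmitter port and a receiver port.
Added example, not the patent's code: wire layout, field widths, hash choice
and truncation length are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SN_FMT = ">I"      # assumed 32-bit big-endian counter of transmitted messages
VID_FMT = ">H"     # assumed 16-bit virtual identifier; provisioned, never sent
HASH_LEN = 14      # 112-bit aggregate, one of the sizes cited in the text
ALGO = "sha256"


def aggregate(vid: int, sn: int, payload: bytes) -> bytes:
    """HASH = H(VID || SN || payload), truncated to HASH_LEN bytes."""
    h = hashlib.new(ALGO)
    h.update(struct.pack(VID_FMT, vid))
    h.update(struct.pack(SN_FMT, sn))
    h.update(payload)
    return h.digest()[:HASH_LEN]


@dataclass
class TransmitterPort:
    vid: int        # VID of the stream, held in memory space 14
    sn: int = 0     # counter 18 of transmitted messages

    def send(self, payload: bytes) -> bytes:
        self.sn += 1                                          # operation 56 (I_SN)
        mac = aggregate(self.vid, self.sn, payload)           # operation 58 (D_HASH)
        return struct.pack(SN_FMT, self.sn) + mac + payload   # operation 60 (EM)


@dataclass
class ReceiverPort:
    vid: int                      # VID′ of the stream
    sn: Optional[int] = None      # SN′; None after a reset until the first message
    sequence_check: bool = True   # optional module 40

    def receive(self, msg: bytes) -> Tuple[str, Optional[bytes]]:
        sn = struct.unpack(SN_FMT, msg[:4])[0]
        mac, payload = msg[4:4 + HASH_LEN], msg[4 + HASH_LEN:]
        # operations 66 and 68: recompute HASH′ with the local VID′ and compare
        if not hmac.compare_digest(aggregate(self.vid, sn, payload), mac):
            return ("rejected:integrity", None)
        # operation 70: SN must be SN′+1, or SN′+2 to tolerate one lost message;
        # the first message after a reset only initialises SN′ and is not checked
        if self.sequence_check and self.sn is not None and sn not in (self.sn + 1, self.sn + 2):
            return ("rejected:sequence", None)
        self.sn = sn
        return ("accepted", payload)


def run_scenario() -> List[str]:
    """Constructed traffic on stream F1 (VID=VID′=63); rx_other belongs to F2 (65)."""
    tx, rx, rx_other = TransmitterPort(vid=63), ReceiverPort(vid=63), ReceiverPort(vid=65)
    out: List[str] = []
    m1 = tx.send(b"altitude=35000")
    out.append(rx.receive(m1)[0])                     # first after reset: accepted
    m2 = tx.send(b"heading=270")
    corrupted = bytearray(m2)
    corrupted[-1] ^= 0x01                             # bit flip in the payload
    out.append(rx.receive(bytes(corrupted))[0])       # rejected:integrity
    out.append(rx.receive(m2)[0])                     # accepted, SN′ becomes 2
    out.append(rx.receive(m2)[0])                     # repeated frame: rejected:sequence
    tx.send(b"lost")                                  # SN=3 never delivered
    m4 = tx.send(b"speed=450")
    out.append(rx.receive(m4)[0])                     # SN=SN′+2: accepted
    tx.send(b"lost")
    tx.send(b"lost")                                  # SN=5 and SN=6 never delivered
    m7 = tx.send(b"fuel=9000")
    out.append(rx.receive(m7)[0])                     # two lost: rejected:sequence
    forged = struct.pack(SN_FMT, 5) + m7[4:]          # SN rewritten in transit
    out.append(rx.receive(forged)[0])                 # SN is hashed: rejected:integrity
    out.append(rx_other.receive(m7)[0])               # wrong VID′: rejected:integrity
    return out
```

run_scenario() returns the outcome of each delivery in order. The aggregate follows the text, a plain hash over VID, SN and payload, which matches the stated goal of robustness against equipment malfunction and accidental corruption; the check therefore rests entirely on VID′ matching a VID that never appears on the wire, so an identifier drawn from a small range (the examples above use 63, 65 and 91) distinguishes streams but offers no margin against an attacker who can guess it. A deployment that must also resist an active attacker would normally replace the secret-prefix hash by an HMAC keyed with a high-entropy per-stream secret.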
A person skilled in the art would understand that the invention is not limited to the embodiments described, nor to the particular examples of the description, the above-mentioned embodiments and variants being suitable for being combined with one another so as to generate new embodiments of the invention.
The present invention thereby proposes a network communication solution suitable for the requirements of avionics, by exploiting the advantages of a time-sensitive network TSN in terms of cost and bandwidth, while being robust against malfunctions of network equipment.
Moreover, the adoption of the end-to-end principle proposed according to the present invention, which distributes, optionally in an activatable/deactivatable way, the integrity check only on the transmitter and receiver communications ports of the network located at each end of the communications stream, also makes possible the cohabitation of traffic with integrity check and of traffic without integrity check, increasing the level of flexibility of the use of the network.
Number | Date | Country | Kind |
---|---|---|---|
2213599 | Dec 2022 | FR | national |